diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7bd01183f..137bd195c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 test-ubuntu-latest:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4c7484b99..5055e6b8d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,16 @@ on:
 # run weekly new vulnerability was added to the database
 - cron: '0 0 * * 0'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
 if: github.event_name != 'schedule' || github.repository == 'valkey-io/valkey'
+ permissions:
+ security-events: write
 strategy:
 fail-fast: false
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 791bb275b..d63ba6ab5 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -6,6 +6,8 @@ on:
 - cron: '0 0 * * *'
 # Support manual execution
 workflow_dispatch:
+permissions:
+ contents: read
 jobs:
 coverity:
 if: github.repository == 'valkey-io/valkey'
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index a4ecf31ec..178d9b7ce 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -28,6 +28,8 @@ on:
 description: 'git branch or sha to use'
 default: 'unstable'
+permissions:
+ contents: read
 jobs:
diff --git a/.github/workflows/external.yml b/.github/workflows/external.yml
index bd6b43839..8111c5e6c 100644
--- a/.github/workflows/external.yml
+++ b/.github/workflows/external.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 test-external-standalone:
 runs-on: ubuntu-latest
@@ -29,7 +32,7 @@ jobs:
 if: ${{ failure() }}
 uses: actions/upload-artifact@v3
 with:
- name: test-external-server-log
+ name: test-external-standalone-log
 path: external-server.log
 test-external-cluster:
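Review bot: The new top-level `permissions:` block in ci.yml carries no comment saying why it is there, and the same lines are added without one in codeql-analysis.yml, coverity.yml, daily.yml, external.yml, reply-schemas-linter.yml and spell-check.yml. A short comment above it, such as `# Least privilege: GITHUB_TOKEN is read-only by default; a job that needs more declares its own permissions block`, would tell the next maintainer to add a scope at job level instead of widening the workflow default. The jobs themselves lie outside these hunks, so it is worth confirming that none of them uses the token to write to the repository, issues or pull requests.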
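Review bot: The job-level `permissions:` block added to `analyze` in codeql-analysis.yml replaces the workflow-level default rather than extending it, so with only `security-events: write` listed the job's token ends up with `contents: none`. That should still work on a public repository, but checkout is likely to fail if the workflow runs in a private fork or mirror; GitHub's CodeQL starter workflow lists `contents: read` and `actions: read` for that case. Consider adding `contents: read` under the job's `permissions:` next to `security-events: write`. The `analyze` job continues past the end of the hunk, so its steps are not visible here.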
@@ -81,5 +84,5 @@ jobs:
 if: ${{ failure() }}
 uses: actions/upload-artifact@v3
 with:
- name: test-external-server-log
+ name: test-external-nodebug-log
 path: external-server.log
diff --git a/.github/workflows/reply-schemas-linter.yml b/.github/workflows/reply-schemas-linter.yml
index a57a97ab3..eb14a2720 100644
--- a/.github/workflows/reply-schemas-linter.yml
+++ b/.github/workflows/reply-schemas-linter.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - 'src/commands/*.json'
+permissions:
+ contents: read
+
 jobs:
 reply-schemas-linter:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/spell-check.yml b/.github/workflows/spell-check.yml
index e146b79c9..b4bc62e7b 100644
--- a/.github/workflows/spell-check.yml
+++ b/.github/workflows/spell-check.yml
@@ -9,6 +9,9 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Spellcheck